RISKS-LIST: RISKS-FORUM Digest  Wednesday 18 January 1989  Volume 8 : Issue 10

FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS
ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

Contents:
  Speak nicely to your air hostess - or be blacklisted... (HCART)
  (Too) Intelligent Network News mailing (Ralph A. Shaw)
  Information protection in Europe (Steve Bellovin)
  Re: Losing systems -- and Structured Programming (Henry Spencer,
    Lynn R Grant, Steven C. Den Beste)
  Re: Ground proximity warning (Henry Spencer)
  WORM storage and archival records (RAMontante)
  Re: 3 vs. 2 engined airplanes (Steve Jay)
  Re: Hackers break open US bank networks (Jan Wolitzky)
  Evidence (Bill Murray)

The RISKS Forum is moderated. Contributions should be relevant, sound, in good
taste, objective, coherent, concise, and nonrepetitious. Diversity is welcome.
* RISKS MOVES SOON TO csl.sri.com. FTPable ARCHIVES WILL REMAIN ON KL.sri.com.
CONTRIBUTIONS to RISKS@CSL.SRI.COM, with relevant, substantive "Subject:" line
(otherwise they may be ignored). REQUESTS to RISKS-Request@CSL.SRI.COM.
FOR VOL i ISSUE j / ftp KL.sri.com / login anonymous (ANY NONNULL PASSWORD) /
  get stripe:risks-i.j ... (OR TRY cd stripe: / get risks-i.j ...
Volume summaries in (i.j)=(1.46),(2.57),(3.92),(4.97),(5.85),(6.95),(7.99).

----------------------------------------------------------------------

Date: Mon, 16 JAN 89 17:47:27 GMT
From: HCART%VAX.OXFORD.AC.UK@CUNYVM.CUNY.EDU
Subject: Speak nicely to your air hostess - or be blacklisted...

From "Computing", January 12, 1989.

US airline TWA is under investigation by the Data Protection Registrar after a
passenger saw abusive information on a computer screen, describing him as
"obnoxious".

London-based systems engineer David Burns saw the screen when he inquired
about some lost luggage on returning to Los Angeles airport from Hawaii in
October.
He asked for a screen print and found it contained details of all the
comments he had made to TWA staff including 'Pax (passenger) said do
something constructive', 'Pax hung up phone', 'Pax obnoxious'. He said most of
the details were not entirely accurate.

Burns wrote to the Data Protection Registrar after being given conflicting
information by TWA about whether the records were deleted when the lost
baggage was eventually found, or were kept for reference.

John Lamidey, the assistant data protection registrar in charge of
investigations, said Burns' complaints are 'enough for me to think we should
look at it further'. He appointed an investigator to visit TWA and expects to
report back this month.

Burns said that, after returning from holiday and eventually recovering the
lost suitcase from another airline, he rang TWA Baggage Services in London to
see if the luggage was still recorded as missing. He was told it was.

Three people, including the head of passenger service, told him the report
which contained his details could not be given to him as it was not company
policy, even though the data was kept on the system for three months.

He then requested the information under the Data Protection Act. [[which gives
those in the UK the right to see information held on computers about them,
with certain exceptions dictated by national security, etc.]]

Brian Johnson, manager of personnel and administration for TWA in the UK,
wrote back to say 'no material is held by TWA by way of magnetic media which
contains your name.' A TWA official said the data had been deleted.

------------------------------

Date: Fri, 13 Jan 89 12:55:07 est
From: ras@rayssd.RAY.COM (Ralph A. Shaw)
Subject: (Too) Intelligent Network News mailing

Something I got in the mail today sounded more Orwellian than I liked, I
thought I would pass it along. It was part of a subscription recruitment
mailing from Intelligent Network News of Alexandria, Va.
(Any security-minded Intelligence organizations based in Alexandria you can
think of? :?)

>"Intelligent networks will dominate our industry's future and force every
>company to rethink the way they do business.
>
>For example:
>
>    Someday the public switched telephone network might track you
>down in New York to tell you, "There's a leak in the basement of your
>house in Denver. The plumber has already been called. He's reviewed
>the service history of your address, and thinks that it's probably
>time to replace the blow-out valve on your water heater. Please respond."
>The repair could be complete, further damage avoided, and the bill
>paid by the time you return home, all thanks to nationwide intelligent
>network services.
> .....
>Clearly, this evolution will create money-making opportunities for
>those with the will and wits to recognize them.

Yes, just what I'm afraid of...

--
Ralph Shaw
Raytheon Co. (SSD)

------------------------------

Date: Tue, 17 Jan 89 22:53:51 EST
From: smb@research.att.com
Subject: Information protection in Europe

The October '88 issue of Cryptologia has an interesting article entitled
``European Needs and Attitudes Towards Information Security''. The author (a
founder of a firm that devises cryptographic algorithms, and hence not an
unbiased source) claims that the free market is driving banks and other
financial institutions towards better protection of their data; he asserts
that banks have suffered a loss of business when their inability to keep data
confidential has been demonstrated.

Of particular interest to this audience is his description of the (perceived)
threats in Europe.

    Europeans do not particularly need protection against ``hackers''
    or petty criminals. They need protection against organized crime,
    major corporations and governments.
    Such opponents are characterized by the presence of serious
    motivation (and therefore the willingness to expend significant
    sums to attack a system), access to substantial resources, and
    the possession or ability to purchase whatever technological
    expertise is required.

He then goes on to relate three actual attacks. In the first, organized crime
invested $5,000,000 up front in technical preparations; the gain (actual or
potential isn't clear from the article) is estimated to be 100 times that.
The second involves a government spying on bank data in another country; he
implies, though does not state, that it was the U.S. government that did the
spying. Apparently, the bank suffered serious loss of business when its
vulnerability became known. Finally, he describes the plight of ``extractive
industries'', whose competitors, both private and state-owned, regularly
mount sophisticated electronic spying operations against them.

If the claims are accurate, the difference in attitudes is fascinating.

        --Steve Bellovin

------------------------------

Date: Wed, 18 Jan 89 00:19:21 EST
From: attcan!utzoo!henry@uunet.UU.NET
Subject: Re: Losing systems -- and Structured Programming

It is worth remembering that the original meaning of "structured programming"
followed the English usage in which "structured" means, approximately,
"organized", and that the usage or non-usage of certain control constructs
was suggested as a means to that end, not an end in itself. One can often get
a good laugh by doing a global substitution of "organized" for "structured"
in a pronunciamento from either side -- it tends to make both sides'
arguments sound ridiculous. As it should: it is silly to confuse organization
with a list of permitted constructs, and equally silly to criticize the
desire for well-organized code on the basis of such confusion.
Henry Spencer at U of Toronto Zoology

------------------------------

Date: Wed, 18 Jan 89 12:43 EST
From: Lynn R Grant
Subject: Structured Programming

I have been a proponent of structured programming for many years, and I have
found that there is really only one rule: think about the poor guy who is
going to have to maintain the program you are writing. All the other rules
about indentation and goto-lessness simply follow from that.

The guy who ends up maintaining your program may be some rookie, or it may be
a busy programmer who doesn't have time to carefully scrutinize your code, or
it may be you six months down the road, after you've forgotten what you had
in mind when you wrote the program. Whatever you can do to make it easier for
this guy to understand your program will cut down the chances for errors (and
will keep him from putting you on his bad-guy list after having to fight with
your code).

Lynn Grant
Technical Consultant
Computer Associates International, Inc.

------------------------------

Date: Wed, 18 Jan 89 10:12:51 -0500
From: denbeste@BBN.COM
Subject: re: Losing Systems

In Risks 8.9, David Marks (djm408@tijc02.UUCP) lays much of the blame for
"losing systems" on the narrow attitude of management which they derived from
the educational system. Briefly, his reasoning goes:

1. Business types don't learn about computers and don't care about them
2. Engineers don't learn about business and don't care about it
3. There is therefore no common ground on which to meet.

Premise 2 is nearly completely true - the average software engineer couldn't
care less about the realities of business. But I have not found Premise 1 to
be true to anything like the same extent.
No matter where I've worked, I am constantly running into business folks who
are trying to understand computers - out of intellectual interest, "nift"
factor, or the obvious fact that there is a shortage of computer-literate
business people and thus it is a good way to advance a career (and the free
market wins again...).

I think that there is an entirely different reason for the failure of the
projects cited three or four references ago: Usually a project like this is
specified not by the ultimate users of the service the computer will provide,
but rather by a supplier in the form of a consultant contracted to buy the
hardware and write the software. The consultant has no vested interest in the
resulting software working correctly - he only has a vested interest in the
project being big and expensive. The consultant wins once the contract is
signed - everything after that is less important.

If those who have the need have no control, and those who have control have
no need, then disaster will always strike. It doesn't even matter if they are
talking to each other.

Steven C. Den Beste, BBN Communications Corp., Cambridge MA
denbeste@bbn.com(ARPA/CSNET/UUCP)  harvard!bbn.com!denbeste(UUCP)

------------------------------

Date: Wed, 18 Jan 89 00:19:41 EST
From: attcan!utzoo!henry@uunet.UU.NET
Subject: Re: Ground proximity warning

> "Note: the GPWS will not provide a warning if an airplane is flying
> directly towards a vertical cliff."

It's worth noting that solutions to this have been proposed and rejected.
The problem with the standard GPWS is that it basically looks down, not
forward, so it fails in the presence of abruptly-changing terrain. (The
vertical cliff is only the extreme case; rapidly-rising terrain will give a
warning, but often too late for it to be useful.)
At least one company has proposed a more sophisticated scheme in which the
"warning surface", so to speak, is not a point underneath the aircraft but a
sort of ski-shaped surface extending a considerable distance forward. Nobody
was interested, so the proposal was shelved.

Henry Spencer at U of Toronto Zoology

------------------------------

Date: Wed, 18 Jan 89 00:46:42 EST
From: RAMontante
Subject: WORM storage and archival records

Steve Phillipson proposes once-writable storage as a means to guarantee that
archival records have not been tampered with. The idea is that the
information, once recorded, can't be changed.

The idea is fundamentally flawed, however, for reasons involving the digital
nature of most such media. Typed or handwritten documents, photographs, audio
tape recordings, all could be trusted (once) because you could detect
alterations in them, AND ALSO because you could determine that the item you
had was the original. The letters on a typewriter have "personalized"
defects, for example. More to the point, tape recorders and cameras add their
own high-frequency losses or image blurs to the signals they record; and if
you make a copy of the original tape or photo, there is unavoidable
degradation of the information and addition of machine-related "noise" to
brand the copy as such. Analog video tape is another example -- broadcast
quality tapes are unusable after a few generations of copying.

Digital media don't suffer from this degradation, though. I get a new program
for my PC at home, put a blank disk of the same brand in the machine, and
type "DISKCOPY". Strip the label off, and you can't tell which disk is the
original. By the same token, if I have my "archived" Shakespearean sonnets on
a WORM disk, I simply read an image of the disk into memory, edit a few lines
and write the new image onto a fresh WORM disk. Presto -- bogus Shakespeare
on a "tamper-proof" disk.

------------------------------

Date: Tue, 17 Jan 89 21:38:36 PST
From: shj@ultra.UUCP (Steve Jay)
Subject: Re: 3 vs. 2 engined airplanes

In RISKS 8.9, Jordan Brown says

> I don't believe a 727 can fly on one engine. It must have two.
> A three-engine airplane has a higher probability of having a failure in
> the first place, and when it does have a failure it then has two points
> of failure, EITHER of which will cause an accident.

I think he's wrong on both counts. I have no specific knowledge in this area,
but I'm almost certain that a 727 CAN maintain level flight, at least at some
altitudes, on one engine. Also, there was a highly publicized incident a
couple of years ago when a Lockheed TriStar flying out of Florida almost
crashed into the ocean because a mechanic had left out oil seals after
maintenance on all three engines. As I remember it, the pilot got back safely
only because he was able to keep one engine going.

Even if a 3 engine plane can't stay level on one engine, it will certainly
have a much lower rate of descent with one engine going than with none,
giving the pilot a lot longer to deal with the problem or find a landing
spot.

Even assuming that a 3 engined plane needs two engines to fly, the odds of 2
engines failing on a 3 engined plane are much, much, smaller than the odds of
1 engine failing on a 2 engined plane.

Steve Jay                     domain: shj@ultra.com
Ultra Network Technologies    Internet: ultra!shj@ames.arc.nasa.gov
101 Daggett Drive             uucp: ...ames!ultra!shj
San Jose, CA 95134            408-922-0100

------------------------------

Date: Wed, 18 Jan 89 09:13 EST
From: wolit@research.att.com
Subject: Re: Hackers break open US bank networks

Australian authorities are working around the clock ... leaks of supposedly
secure dial-up numbers for US defence sites, including anti-ballistic missile
launch silos, ...

The U.S. hasn't had any anti-ballistic missiles for more than a decade.
I can only assume that the rest of the article is as accurate, especially
since I've seen nothing about the "break-in" in the papers or news wires in
this country.

Jan Wolitzky, AT&T Bell Labs, Murray Hill, NJ; 201 582-2998; mhuxd!wolit
(Affiliation given for identification purposes only)

------------------------------

Date: Wed, 18 Jan 89 12:15 EST
From: WHMurray@DOCKMASTER.ARPA
Subject: Evidence

> In recent issues of RISKS, various people have lamented the loss
>of confidence we are experiencing in archival records kept by computer.
>The problem seems to me less of a computer problem than a media problem,
>specifically, choosing media that is appropriate for archival storage.

Would God that it were that simple. If freedom from modification were the
only requirement for the medium, then there might be a solution. However, for
an increasing number of applications light in glass or electricity in copper
are the medium of choice for other reasons.

We require controls for the integrity and confidentiality of data that are
independent of both media and environment, and which can move with the data.
Fortunately for us they are here.

Digital signatures and envelopes can be combined to mimic the behavior of the
media and environmental controls that we commonly use. All that is required
is a little bit of trusted storage in which to store the private keys and a
tiny trusted process in which to do the code conversions.

Of course, I have just stated the requirement for both media and
environmental controls. While they are still necessary, they are no longer
sufficient.

William Hugh Murray, Ernst & Whinney

------------------------------

End of RISKS-FORUM Digest 8.10
************************
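
Added example, not part of the original digest: the point argued in the "WORM storage and archival records" and "Evidence" messages, that a write-once disk cannot show which copy is the original while a digital signature moves with the data, sketched in Python. It uses a Lamport one-time signature built from SHA-256 so that it runs on the standard library alone; the function names and the sample record are constructed for illustration.

```python
import hashlib
import secrets

def H(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()

def keygen():
    """Private key: 256 pairs of random secrets. Public key: their hashes."""
    sk = [(secrets.token_bytes(32), secrets.token_bytes(32)) for _ in range(256)]
    pk = [(H(a), H(b)) for a, b in sk]
    return sk, pk

def digest_bits(record: bytes):
    """The 256 bits of SHA-256(record), most significant first."""
    d = int.from_bytes(H(record), "big")
    return [(d >> (255 - i)) & 1 for i in range(256)]

def sign(sk, record: bytes):
    """Reveal one secret per digest bit. Each Lamport key signs ONE record only."""
    return [sk[i][bit] for i, bit in enumerate(digest_bits(record))]

def verify(pk, record: bytes, sig) -> bool:
    """Needs only the public key, so a copy on any medium can be checked."""
    bits = digest_bits(record)
    return len(sig) == 256 and all(
        H(s) == pk[i][bit] for i, (s, bit) in enumerate(zip(sig, bits)))

def demo():
    sk, pk = keygen()  # sk stays in trusted storage; pk is published
    original = b"Shall I compare thee to a summer's day?\n"  # constructed record
    sig = sign(sk, original)   # stored alongside the record
    copy = bytes(original)     # bit-identical image written to a fresh disk
    edited = original.replace(b"summer's", b"winter's")  # altered image
    return verify(pk, copy, sig), verify(pk, edited, sig)

if __name__ == "__main__":
    print(demo())
```

The identical copy verifies and the edited image does not, whichever disk either one is written to; producing a signature for the edited text requires the private key, which is why the trusted storage for it is the one thing that must be protected.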